Change Details

Mirrored from:
https://phabricator.whonix.org/T207
-----
On bountysource:
https://www.bountysource.com/issues/9115540
-----
For better security, ideally, we wouldn't pull binary packages from Debian's repository during the build of Whonix, but compile all packages from source code.
sponsor-B would pay a bounty for implementing this. We agreed to try bountysource to get offers.
For building packages from source code, there is `apt-get source --compile pkg-name`. But for it to work, one has to run `apt-get build-dep pkg-name` beforehand, which downloads binary packages.
Is it possible to get to a point where all packages that are installed/updated are compiled from source code beforehand? Seems difficult to break the dependency loops.
Some more info:
https://unix.stackexchange.com/questions/184812/how-to-update-all-debian-packages-from-source-code
TODO:
* add an option to `debootstrap` to compile all source packages rather than downloading binary ones
* add an option to or wrapper around `apt-get` to allow installation/upgrade of packages from source code
* patches should be upstreamed to Debian
* bonus, that can be done later: have an option to modify compile flags per package, so we can for example enable compiling as PIE
If helpful, this ticket could be split into smaller tasks.
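As an added example (not code from this ticket, Whonix or Debian), here is a hypothetical wrapper of the kind the second TODO item asks for: it builds a package's build-dependencies from source, depth-first, before the package itself, so `apt-get build-dep` never has to install binaries, and it reports the dependency loop the ticket mentions instead of silently falling back to binary packages. The interfaces it calls are real (`apt-cache showsrc`, `apt-get source --compile`, `apt-get install ./*.deb` with apt 1.1 or later, and `DEB_BUILD_MAINT_OPTIONS` read by dpkg-buildflags); the fixture dependency graph behind `APT_SRC_FIXTURE`, including the perl/dpkg-dev loop, is constructed so the script runs offline, and the file name is made up.

```bash
#!/bin/bash
# Added example (hypothetical wrapper, not Whonix's or Debian's code): build a
# package and, first, all of its build-dependencies from source, depth-first,
# instead of letting `apt-get build-dep` install them as binaries. When the
# build-dependency graph loops back on itself (the case the ticket calls
# hard to break) the loop is reported instead of falling back to binaries.
set -eu

# Extract bare package names from one Build-Depends field. Drops version
# constraints "(>= 1.2)", architecture lists "[linux-any]" and build profiles
# "<!nocheck>", strips ":any"-style qualifiers, and keeps only the first
# alternative of "a | b" (the one dpkg-buildpackage would need by default).
build_dep_names() {
    printf '%s\n' "$1" \
        | sed -e 's/^Build-Depends:[[:space:]]*//' \
              -e 's/([^)]*)//g' -e 's/\[[^]]*\]//g' -e 's/<[^>]*>//g' \
        | tr ',' '\n' \
        | sed -e 's/|.*$//' -e 's/[[:space:]]//g' -e 's/:[a-z0-9]*$//' \
        | grep -v '^$' || true
}

# Build-Depends line of a source package. Without APT_SRC_FIXTURE this asks
# the locally cached Sources index; with it, a constructed graph is used so
# the script runs offline. The perl <-> dpkg-dev loop is made up for the demo.
build_depends_of() {
    if [ -z "${APT_SRC_FIXTURE:-}" ]; then
        apt-cache showsrc "$1" | grep '^Build-Depends:' | head -n 1
        return 0
    fi
    case "$1" in
        hello)     echo "Build-Depends: debhelper (>= 9), autoconf [linux-any]" ;;
        autoconf)  echo "Build-Depends: m4 (>= 1.4), help2man <!nodoc>" ;;
        debhelper) echo "Build-Depends: dpkg-dev (>= 1.18), po4a <!nodoc>" ;;
        dpkg-dev)  echo "Build-Depends: perl" ;;
        perl)      echo "Build-Depends: dpkg-dev (>= 1.16.1~)" ;;  # constructed loop
        *)         echo "" ;;   # leaf: no build-dependencies recorded
    esac
}

# Per-package build-flag overrides (the ticket's bonus item). dpkg-buildflags
# honours DEB_BUILD_MAINT_OPTIONS, so packages that take their flags from
# dpkg-buildflags pick these up without patching debian/rules.
flags_for() {
    case "$1" in
        hello) echo "DEB_BUILD_MAINT_OPTIONS=hardening=+all" ;;
        *)     echo "DEB_BUILD_MAINT_OPTIONS=hardening=+pie" ;;
    esac
}

# Fetch, build and install one source package. apt-get source checks the
# .dsc/.orig checksums against the signed Release file, so the source is
# authenticated the same way binary packages are. DRY_RUN=1 prints the plan.
compile_and_install() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "would build $1 with $(flags_for "$1")"
        return 0
    fi
    local dir
    dir=$(mktemp -d)
    ( cd "$dir" \
      && env "$(flags_for "$1")" apt-get source --compile "$1" \
      && apt-get install -y ./*.deb )
    rm -rf "$dir"
}

BUILT=""     # packages already compiled and installed in this run
VISITING=""  # packages whose build-deps are still being resolved

in_list() { case " $2 " in *" $1 "*) return 0 ;; esac; return 1; }

# Depth-first: build every build-dependency from source before the package
# itself. Returns 1 on a dependency loop, the point where a binary bootstrap
# (or a staged build with reduced build-deps) becomes unavoidable.
source_build() {
    local pkg dep
    pkg=$1
    in_list "$pkg" "$BUILT" && return 0
    if in_list "$pkg" "$VISITING"; then
        echo "dependency loop: $pkg is needed while building:$VISITING" >&2
        return 1
    fi
    VISITING="$VISITING $pkg"
    for dep in $(build_dep_names "$(build_depends_of "$pkg")"); do
        source_build "$dep" || return 1
    done
    VISITING=${VISITING% $pkg}
    compile_and_install "$pkg"
    BUILT="$BUILT $pkg"
}

main() {
    for p in "$@"; do source_build "$p"; done
    echo "built from source:$BUILT"
}
# Usage: DRY_RUN=1 APT_SRC_FIXTURE=1 ./apt-src-install.sh autoconf
if [ $# -gt 0 ]; then main "$@"; fi
```

Run against the fixture, `autoconf` resolves to m4, help2man and then autoconf, while `hello` stops with "dependency loop: dpkg-dev is needed while building: hello debhelper dpkg-dev perl". That loop is the caveat the ticket raises: `apt-get source --compile` needs the build-dependencies installed, and the first package in any cycle can only come from a binary or from a reduced stage-1 build (Debian's build profiles exist for that bootstrap case).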
